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U: Abstract 

Recently Bu and Wang [1] proposed a simple modulation method aiming to im- 
prove the security of chaos-based secure communications against return-map-based 
attacks. Soon this modulation method was independently cryptanalyzed by Chee et 
al. [2], Wu et al. [3], and Alvarez et al. [4] via different attacks. As an enhancement 
^ — , to the Bu-Wang method, an improving scheme was suggested by Wu et al. [3] by re- 

moving the relationship between the modulating function and the zero-points. The 
present paper points out that the improved scheme proposed in [3] is still insecure 
against a new attack. Compared with the existing attacks, the proposed attack is 
more powerful and can also break the original Bu-Wang scheme. Furthermore, it is 
pointed out that the security of the scheme proposed in [3] is not so satisfactory 
from a pure cryptographical point of view. The synchronization performance of this 
class of modulation-based schemes is also discussed. 



1 Introduction 



Since the early 1990s, the use of chaotic systems in cryptography has been 
extensively investigated. There are two main classes of chaotic cryptosystems: 
analog [5,6] and digital [7]. Most analog chaotic cryptosystems are secure 
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communication systems based on synchronization of the sender and the re- 
ceiver chaotic systems [8], where a signal is transmitted over a public channel 
from the sender to the receiver, and decryption of the plain-signal is realized 
via chaos synchronization at the receiver end. According to the encryption 
structures, most analog chaos-based secure communication systems can be 
classified into four categories: chaotic masking [9, 10], chaotic switching or 
chaotic shift keying (CSK) [11,12], chaotic modulation [13,14], and chaotic 
inverse system [15]. Meanwhile, some cryptanalysis work has also been de- 
veloped, and many different attacks have been proposed to break different 
types of chaos-based secure communication systems: return-map-based at- 
tacks [16-18], spectral analysis attacks [19,20], generalized-synchronization- 
based attacks [21, 22], short-time-period-based attacks [23, 24], prediction- 
based attacks [25,26], parameter-identification-based attacks [27-30], and so 
on. 

Since many early chaos-based secure communication systems are found inse- 
cure against various attacks, how to design robust chaos-based secure commu- 
nication systems against the existing attacks is always a real challenge. The 
following three types of countermeasures have been proposed in the litera- 
ture: 1) using more complex dynamical systems, such as hyperchaotic systems 
or multiple cascaded heterogeneous chaotic systems [31]; 2) introducing tra- 
ditional ciphers into chaotic cryptosystems [32]; 3) introducing an impulsive 
(also named sporadic) driving signal instead of a continuous signal to real- 
ize modulation and synchronization [33]. The first countermeasure was found 
lately remaining insecure against some specific attacks [26,28,34,35], and some 
security defects of the second have also been reported [36] . 

In [1], a simple modulation method was proposed by Bu and Wang to enhance 
the security of some chaos-based secure communications against return-map- 
based attacks. A periodic signal is used to modulate the transmitted signal 
in order to effectively blur the reconstructed return map. Although this mod- 
ulation method can frustrate return-map-based attacks, it was soon broken 
independently in [2-4] with other different attacks, some of which rely on 
the embedded periodicity of zero-crossing points of the modulating signal. To 
further improve the security of the original Bu-Wang modulation method, a 
modified modulating signal was then suggested in [3] to cancel the embedding 
regular occurrence of zero-crossing points in the transmitted signal. 

This paper points out that the modified modulation method proposed in [3] 
is still insecure against a new attack that cab restore the return map. The 
secret parameters of the modulating signal can be approximately identified 
via the proposed attack. Compared with other attacks, the new attack is 
more powerful which can also break the original Bu-Wang modulation scheme. 
Furthermore, it will be pointed out that from a cryptographical point of view 
the modulation method itself is not so satisfactory in enhancing the security of 
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the chaotic cryptosystems even when the modulating signal is secure enough. 

The rest of this paper is organized as follows. In Sec. 2, the modulation method 
and related attacks are briefly introduced. Section 3 shows how the new attack 
breaks the scheme based on the modified modulation method. Some general 
discussions on practical performance of this class of modulation-based methods 
under study are given in Sec. 4. The last section concludes the paper. 



2 The modulation method and related attacks 

To introduce the modulation-based method, the Lorenz system is used to 
construct a secure communication system. The sender system is 

xi = a(x 2 - Xi), 

x 2 = rxi - x 2 - XiX 3 , (1) 
x 3 = X\X 2 - bx 3 

and the receiver system is 

Vi = o{y 2 - yi) + c(s(x, t) - s(y, t)), 

y2 = ry!-y 2 -yiy 3 , (2) 
h = yiy2 - by 3 , 

where a, b, r are parameters of the system, x = (x±, x 2 , x 3 ) and y = y 2 , y 3 ) 
are state variables, c denotes the coupling strength, and s(x, t) = g(t)xi(t) 
is the ciphertext transmitted over the public channel for information carry- 
ing and chaos synchronization. Accordingly, s(y,t) = g(t)yi(t). In [1], g(t) 
is selected as the product of a cosine signal and another system variable: 
g(i) = Acos(uot + (j)Q)x 3 (t). When the above system runs in a chaotic masking 
configuration, s(x, t) = g(t)xi(t) +i(t), where i(t) is the plain-message signal. 

In the above secure communication system, the secret key consists of the 
system parameters of the Lorenz system (a, b, r) and the parameters of the 
modulating signal (cu, <f>o). Note that A should not be used as part of the key, 
since it does not influence the shape of the return map (just change the size). 
To facilitate the following discussion, without loss of generality, the parameters 
are fixed as the default parameters used in [1]: a = 16, r = 45.6,6 = 4.0, 
A = 0.5, uj = 1.5,0o = 0. In the chaotic masking configuration, the plain- 
message signal is assumed to be i(t) = O.lsin(t); in the chaotic switching 
configuration, the value of b switches between b = 4.0 and bi = 4.4. 

The purpose of using g(t) is to frustrate return-map-based attacks, proposed 
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a) chaotic carrier: Xi(t) 



b) chaotic masking 
x 1 (t)+i(t) 



c) chaotic switching 

Xi(t) 



d) chaotic carrier: 
g(t)xi(t) 



e) chaotic masking: 

0(t)zi(t) + i(t) 



f) chaotic switching: 
g{t)xi(t) 



Fig. 1. Return maps (^4 n vs -B n , the same thereinafter) reconstructed under different 
conditions. 

previously in [16]. In common chaotic masking systems, s(x, t) = Xi(t) +i(t), 
where i(t) is the plain- message signal whose energy is much smaller than that 
of Xi(t); and in common chaotic switching systems, s(x, t) = X\(t). Following 
[16], two return maps, A n vs B n and (— C n ) vs (—D n ), are defined as follows: 
A n = Mi Sn = X n -K„, C n = ^±i±^, = Y n -X n+1 , where X n and F m 
are the n-th (local) maxima and the m-th (local) minima of the transmitted 
signal, respectively. Since the A n vs B n map is identical to the (— C n ) vs (—D n ) 
map, in this paper only the former will be considered. Once an attacker gets 
the A n vs B n return map, he can use the attack method proposed in [16] to 
break both the chaotic masking and the chaotic switching systems. 



In Fig. 1, some return maps reconstructed under different conditions are 
shown, from which it seems that the modulating function g(t) = Acos(ut + 
00)^3 {t) can effectively blur the return maps and so frustrate the attackers. 
However, as pointed out in [2,3], the modulating signal will introduce regular 
zero-crossing points in the transmitted signal g(t), which makes it possible to 
distinguish the value of to via spectral analysis [2] or autocorrelation analy- 
sis [3]. Also, it was shown in [4] that the power spectrum of |s(x, t)\ can be 
used to estimate the value of uj. Moreover, the value of <fio can be simulta- 
neously obtained via autocorrelation analysis [3] or separately by detecting 
zero-crossing points at intervals equal to j- [4]. A direct extraction of the bi- 
nary plain-message signal from the transmitted signal has also been discussed 
in [4] for the chaotic switching configuration. 
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To resist the proposed attacks, a modified modulating signal was suggested 
in [3]: g(t) = A(cos(ut + O ) + M)x$(t), where M > 1. It was claimed that 
such a simple modification can eliminate the security defect of the original 
scheme and can also improve the synchronization performance. The default 
parameters of the modified scheme are identical to the ones used in the original 
Bu-Wang scheme, except (fro = 0.3. 



3 Breaking the scheme based on the modified modulation method 

In this section, we show that the modified modulation method proposed in [3] 
can still be easily broken via a new attack, which is designed based on param- 
eter estimation from the transmitted signal s(x, t). It will be shown that the 
proposed attack works for both chaotic masking and chaotic switching config- 
urations. The most significant feature of the new attack is its independence 
of the zero-crossing points and its robustness with respect to different values 
of W, 0o and M. This new attack is also able to break the original Bu-Wang 
scheme. This paper further points out that the modulation method itself is not 
very satisfactory from a cryptographical point of view, even if the modulating 
signal itself can be designed to be extremely secure against attacks. 

3. 1 Breaking the values of uj and (fro 

Assuming go(t) = A(cos(ut + (fro) +M), where M > 1 implies go(t) > 0. Thus, 
|s(x, t)\ = \go(t)xs(t)xi(t)\ = go(t)\x 3 (t)xi(t)\, which means that the ampli- 
tude of \x3(t)xi(t)\ is periodically modulated by go(t) at a fixed frequency 
uj. Consequently, there exists an embedded periodicity in the amplitude of 
|s(x, t)\, just like the embedded periodicity in the zero-crossing points dis- 
cussed in [2-4]. See Figs. 2a and b for a comparison of the waveforms of 
s(x, t), |s(x, t)\ and go(t), in the chaotic masking configuration with i(t) = 0, 
where the waveforms of s(x, t) and |s(x, t)\ have been normalized to make 
the display clearer. One can see that the periodicity occurs as a clear en- 
velop of the amplitude of |s(x, t)\. After filtering |s(x, t)\ with an averaging 
filter, one can dramatically refine the periodicity, as shown in Fig. 2c, where 
s(x, t) = |s(x, t)\ © fait, 4) has also been normalized for a better display and 
the employed averaging filter f a (t, h) is defined as follows: 



Here, © denotes the convolution operation and the value of h should be chosen 
close to uj to get a smooth filtered signal s(x, t). For this purpose, a rough 
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estimation of uj can be easily obtained from |s(x, t)\ as shown in Fig. 2b. Note 
that any other averaging filter may be used instead of the above triangular 
one. 

From Fig. 2c, it is clear that one can easily get an accurate estimation of uj and 
0o, thanks to the global phase matching between s(x, t) and go(t). Of course, 
some other estimation algorithms, such as the autocorrelation identification 
method proposed in [3], can be employed to further improve the accuracy 
of the estimation. When a plain-message signal is carried in the transmitted 
signal s(x, t), the above estimation algorithm still works well as shown in Fig. 
2d, which is attributed to the sufficiently small energy of the plain-message 
signal. Also, it is obvious that the above algorithm works well for the chaotic 
switching configuration (see Fig. 3 for a breaking result). 

From the above discussion, it seems that the performance of the proposed 
estimation will gradually decrease as uj increases, since the averaging filter 
f a {t, h) may produce unsatisfactory results. This looks like a defect of the pro- 
posed attack. However, our experiments show that when uj is relatively large, 
it becomes possible to directly estimate the values of uj and 4>o from |s(x, t)\ 
only (even without using average filtering). When uj = 13.6 1 , for example, 
the waveforms of |s(x, t)\, s(x, t) and go(t) are shown in Fig. 4, where the pa- 
rameter of the averaging filter is chosen as h = 0.2. Note that the positions of 
local minima of |s(x, t)\ coincide very well with those of go(t), although s(x, t) 
becomes less clear. This demonstrates that the proposed attack method is 
rather robust to different values of uj and O - 

It is worth mentioning that the value of uj can also be derived via spectral 
analysis: simply, calculating the power spectrum of s(x, t) and extracting the 
spectrum peak at the frequency uj. In fact, such a direct spectral analysis 
for estimating uj works even without using average filtering, as shown in [4]. 
This is because the following property of Lorenz-like chaotic systems [24,37]: 
although X\{t) of the Lorenz system has a wideband spectrum as shown in 
Fig. 5a, the absolute- valued signal |aq(t)| has a prominent spectrum peak at an 
inherent frequency f z , which is uniquely determined by the system parameters 
a, b and r and is independent of the initial conditions. See Fig. 5b for the 
power spectrum of |aq(i)|- This is also true for x 2 (t). For x 3 (t), the operation 
is even simpler: x^(t) itself has a prominent spectrum peak at the inherent 
frequency f z . This implies that |s(x, t)\ = go(t)\x3(t)xi(t)\ will have at least 

two prominent spectrum peaks, at f z and f u — — (Hz), respectively. See Figs. 

2% 

5c and d for a comparison of the power spectra of s(x, t) and |s(x, t) | . It can be 



This value is intentionally set to be identical to the inherent frequency 2irf z of 
the Lorenz system, so as to emphasize on the robustness of the proposed attack. 
Some explanations of the inherent frequency of the Lorenz system are given in the 
following paragraphs. 



6 



1 





-0.5 
-1 



^ /\','« !\ m >\ a /r?i »\ r\ <v,'> * ? a /; '\ va ? 




' 4 / 




v r 








\ I 









10 20 30 40 50 60 70 80 90 100 

t 

a) s(x, t) vs <7o(0 = ^4(cos(W + O ) + M), when z(£) = 




100 



b) |s(x,£)| vs g (t) = A(cos(cot + O ) when z(£) = 



: A »' 'i " A 

1 1\ A rt K / 
i/ \ /\ /\ /\ /\ / 


r< t 
l> I 1 

rt 


r, 7 (I 'i " ,i ' '< '« m A 

H Ia A ' " 'a' A 1 K> N A '« 

1 A ll n A M fl ii M n A 1 


<, ' i| ii ' 

\ ft A' A 1 


J{ If, U W H 1 
,( 11 i 1 

>/ V V v 


1, 1, II 

>/ »/ I' 

i 


1/ \l V \i 1/ \/ 1/ 1/ U \i 1/ 

m y i , .v y y, , y, y ^ v, 

' ' 1' 1 w ,< , 1 ' »l I 


V M M i' 
i' i i' \ 

J \ V J 



0.5 



10 20 30 40 50 60 70 80 90 100 

t 

c) s(x,£) vs g-o(^) = A(cos(u;£ + O ) + Af), when i(t) = 




d) s(x, t) vs g- (*) = A(cos(u;t + O ) + Af), when i(t) = 0.1 sin(i) 

Fig. 2. Breaking the values of u and </>o in the chaotic masking configuration, where 
and throughout the paper the dashed line is go(t). 



seen that the first prominent peak is at the frequency f u and the second at f z . 
Apparently, u can also be obtained from f u as u = Following [24,37], 

such an inherent frequency also exists in Chua and Rossler systems, so the 
same spectral analysis is also available for attacking these two chaotic systems 
widely- used in chaos-based secure communications. At present, it is not clear 
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Fig. 3. Breaking the values of u and cfto in the chaotic switching configuration: s(x, t) 
vs g (t) = A(cos(ujt + 0o ) + M). 
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b) s(x, t) vs g (t) = A(cos(ujt + <j) ) + M) 
Fig. 4. Breaking the values of lo and (fio in the chaotic masking configuration. 

whether there exists any chaotic system that has no distinguishable inherent 
frequency. 

Compared with the spatial attack proposed above, the existing spectral attack 
has some defects: 1) it cannot work well when lu w j z \ 2) the value of </>o 
cannot be simultaneously estimated with u in the frequency domain; 3) if 
there does not exist a strong DC component in \x%(t)xi(i)\ (e.g., if some other 
chaotic systems are also used), j w will not occur as a prominent peak in 
the power spectrum 2 ; 4) when other chaotic systems are used instead of the 
Lorenz system, the inherent frequency may not exist (though unlikely) or the 
frequency f u might not be easily identified from the power spectra. 



2 Although f z ± fu always occur as two minor peaks, they are generally less distin- 
guishable than the individual major peaks at / w and f z , respectively. 
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01 23456789 10 

frequency (Hz) 

b) the relative power spectrum of 
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d) the relative power spectrum of |s(x, t)\ 

Fig. 5. The relative power spectra of xi(t), \xi(t)\, s{pc,t) and |s(x,i)|. 

Finally, let us see how the proposed attack works on the original Bu-Wang 
scheme, where the condition is somewhat different since go(t) = A cos(ujt + <j) ) 
is not always positive. In that case, one has 
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a) s(x, t) vs go(t) = Acos(ut + 
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b) |s(x,t)| vs \g (t)\ = \Acos{ut + <f> )\ 




c) s(x,t) vs |^ (t)| = |Acos(u;t + O )| 

Fig. 6. Breaking the values of uj and c^o in the original Bu-Wang scheme, where the 
dashed line denotes either go(t) or |go(*)|- 



\s{x,t)\=A\coB(ut + <j>o)\ ■ |x 3 (*)zi(t)| 
A 



-j= ■ sj\ + cos(2cut + 20 o ) • \x 3 (t) Xl (t)\. 



Thus, with the above-described attack we will get 2u and 20 o , which can 
be easily halved to obtain the values of u and <p Q . In Fig. 6, the result of 
breaking the chaotic masking configuration with i(t) = of the original Bu- 
Wang scheme is shown, where a different averaging filter, f' a (t, 1), is used to 
make s(x, t) smoother: 



fa(t,h) 



1 (o S (t^), |t| </l 



\2h ) 



\t\ > h. 



(4) 
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From the above analysis, one can see that the attack proposed in this subsec- 
tion can work for not only the original Bu-Wang scheme but also some other 
scheme if the modulating signal go(t) is periodic (which need not be a simple 
sinusoidal or cosine signal). Therefore, an aperiodic or even chaotic modulat- 
ing signal go(t) has to be used to enhance the security. However, in this case 
the synchronization of the modulating signal itself becomes a new problem, 
which will be further discussed in Sec. 4.2. 



3.2 Breaking the value of M 



Once the values of uo and <p are known, one can further break the value of M 
via an iterative process, and then get rid of the blurring effect on the return 
map by removing g (t) from s(x, t). To do so, define an auxiliary signal 

sf x t) - S ( X ^) _ cosM + 0q) + M 

S(X ' t] - cosM + O ) +M>~ cosM + O ) + M> Ax ^ x ^ W 

where M' is an estimation of M. Apparently, it is expected that the closer the 
value of M' is to M, the closer the signal s(x, t) is to £ 13 (t) = Ax 3 {t)x 1 (t). As 
a natural result, if M' changes from a value larger than M to a value smaller 
than M, i.e., (M' > M) — > (M' < M), the behavior of s(x, t) will gradually go 
closer to xis(t) and then turn gradually far away from £13 (t) once M' crosses 
the point M' = M. Therefore, there exists a global minimum at the point 
M' = M. The existence of such a global minimum can be easily checked by 
observing the reconstructed return map from s(x, t) or |s(x, t)\. In Fig. 7, the 
return maps constructed from |s(x, t)\ with respect to different values of M' 
are shown. The reason why |s(x, t)\ is used is that this reconstructed return 
map has a simpler structure than the map reconstructed from s(x, t). The 
following features can be found from the maps: 

(1) The closer the value of M 1 is to M, the thinner the branch width and the 
closer the return map reconstructed from |s(x, t)\ is to the return map 
from |£i 3 (t)|. 

(2) The shape of the return map is related to the relation between M' and M: 
the two edges of the right-bottom branch are both clear when M' > M, 
while only the left edge is clear when M' < M. When M' is closer to 
M, the above characteristic is a little different: the right edge is (not so 
much) clearer than the left one when M' > M, while the left edge is 
much clearer than the right one when M' < M. 

The first feature above means that one can approximately know the distance 
between M' and M by measuring the width of the right-bottom branch of the 
return map, and the second feature means that one can exactly know whether 
M' > M or M' < M. Note that the branch width and the clearness of the two 
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g) M' = M- 0.02 


h) M' = M — 0.04 


i) M' = M — 0.06 



Fig. 7. Return maps reconstructed from |s(x, t)| with different values of M'. 

edges of the right-bottom branch can be quantitatively defined by different 
methods. For example, some algorithms can be used to extract the skeleton 
and the two edges of the branch, and then determine the two measures. In 
fact, in real attacks, an attacker can directly get a rough estimation of the 
measures by naked eye, and then manually carry out the following iterative 
algorithm for several times to find a sufficiently accurate estimation of M. 

Given a lower bound M_ < M and an upper bound M + > M, the iterative 
algorithm is as follows: 

• Step 1 - Initialization: Set i — 1, M_ = M_, M+* = M + , and determine the 
number of iterative rounds, m (which is used to achieve a desired precision, 
as further explained later). 

• Step 2: Among the following n + 1 values, 



n 




(6) 



j=0 
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a) The return map reconstructed b) The return map reconstructed 
from |s(x, t)\ from s(x, t) 

Fig. 8. The return maps reconstructed from |s(x, t)\ and s(x, t) when M' = M+0.01 
in the chaotic switching configuration. 



find two consecutive ones satisfying M[ j_ x < M and M- j > M. 

• Step 3:lii<m } then increase i by 1, set M® = M^_ l5 M+ = M^, 
and goto Step 2; otherwise, stop the algorithm and output an estimation 



Apparently, the above iterative algorithm is rather similar to the numerical al- 
gorithms for solving algebraic equations for roots [38]. It can be easily deduced 



that the estimation accuracy after m rounds is 
a predefined accuracy e > 0, it is required that 
m > — — — — 2S ' . lakme m 

OCTr, 77. ° 



M-M 

M+-M- 
2n" 



< 



M+-M- 
2n m 



To achieve 



< e, and then one gets 



the complexity 



" log 2 (M + -Af_)-log 2 (2€) 
log 2 n 

of the above iterative algorithm is only 0(nm) = O (n ■ log2 7^~n~ log2 ^ 
which is sufficiently small for an attacker to carry out the algorithm manu- 
ally. When n — 3, the computing complexity is minimized, since the integer 
function f(n) = lo " - (n > 2) reaches the global minimum at n — 3. 



Although in theory the above algorithm can get an arbitrarily accurate esti- 
mation by increasing the round number m, the distinguishability of the return 
map reconstructed from a finite set of data will be insufficient when M' is too 
close to M. Fortunately, in this case, the return map will be sufficiently clear 
for an intruder to carry out the return-map-based attacks. Figure 8 shows the 
return map reconstructed from |s(x, t)\ and s(x, t) when M' = M + 0.01 in 
the chaotic switching configuration. It can be seen that such an accuracy is 
enough to break the 0/1-bits in the plain- message signal. 
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4 Discussions on the performance of the modulation-based meth- 
ods 

4-1 A cryptographical perspective 

From a cryptographical point of view, a modulating signal is not an effective 
tool for enhancing the security of chaos-based secure communications, due to 
the dependence of the secret parameters of the chaotic systems on the se- 
cret parameters of the modulating signal. In fact, to break the whole chaotic 
cryptosystem via a brute-force attack, what an attacker should do is to ex- 
haustively guess the secret parameters of the modulating signal, not all secret 
parameters (system parameters and modulating parameters). This means that 
the key space of the whole system is reduced to be m&x(K m , K c ), i.e., to be 
K m when K m > K c , where K m is the key space of the modulating signal and 
K c is the key space of the chaotic cryptosystem without modulation. However, 
for a good encryption algorithm, the key space should be always K m x K c [39]. 
To further enhance the modulation-based method, the modulating operation 
should be non-invertible, i.e., expressing s(x, t) = F(g (t),x), the function 
F(-, •) should be non-invertible with respect to x. However, with such a com- 
plicated modulating mechanism, the synchronization between the sender and 
the receiver may become much more difficult and be impossible under practical 
conditions (see the next subsection for further discussion on synchronization 
issues) . 



4-2 The synchronization performance 

In [3], it was found that "almost no value can achieve the synchronization 
when M — 0", i.e., when the original Bu-Wang scheme [1] is used. Our experi- 
ments support this claim. Furthermore, when go(t) = Acos(ut + <f>o), Matlab's 
numerical differentiation function, ode45 used in this work, fails (i.e., enters 
into a dead lock) with a high probability for many values of c. This implies 
that the original synchronization scheme proposed in [1] is ill-behaved in most 
cases. 

It can be confirmed that chaos synchronization of the modified scheme sug- 
gested in [3] can be achieved for a large range of values of c. This means 
that the modification in [3] really enhances the synchronization performance. 
For verification, a number of experiments were carried out to study the syn- 
chronization performance when go(t) is replaced by some other functions. As 
a surprising result, it was found that even a non-negative noise signal can 
make the receiver system synchronized well with the sender system. Figure 
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Fig. 9. The synchronization errors of the three system variables when 
g (t) = rand(t) G (0,1): \yi(t) - \y 2 (t) - x 2 (t)\ and \y 3 (t) - x 3 (t)\ (from 

top to bottom). 

9 shows the experimental result when go(t) = rand(t) G (0, 1) and c = 10. 
Some other signals were also tested, for example, g (t) = t 2 mod 1 and g (t) = 
(t cos(a;i + 0o)) mod 1, and it was found that chaos synchronization is achieved 
in both cases. At present, the reason behind this unexpected synchronization 
phenomenon is still not clear. 



5 Conclusion 

In [1], a simple modulation-based method was proposed to improve the secu- 
rity of chaos-based secure communications against return-map-based attacks. 
Soon this scheme was independently cryptanalyzed in [2-4] via different at- 
tacks. Then, in [3], a modified modulation-based scheme was proposed to 
enhance the security of the original one. This paper proposes a new attack 
to break the new modified scheme. Compared with previous attacks, the pro- 
posed attack is more powerful and can also break the original scheme in [1]. 
Based on all analysis and experimental results, the conclusion is that, from a 



15 



cryptographical point of view, the security of this class of modulation-based 
scheme is not satisfactory for secure communications. 
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